I am trying to solve a problem where I am analyzing some HTTP traffic using Bro. To limit the Bro log sizes, I want to capture only those HTTP events which have certain string patterns in their bodies. The string patterns will be unique for each host + uri pair. I am putting this info (host, uri, regex) in a file and loading it into Bro using the file input framework. I want to apply the regex on the HTTP body if the host and uri match. When I try to search the body using:

find_all(body, string_to_pattern(regex_string_from_file, T));

I get some very weird behavior. The code in the entire block after the string_to_pattern statement is not executed (and I don’t get any error). This happens when I run it on the command line against a pcap.

To understand the problem better, I tried to reproduce the problem on I get the following error when I use string_to_pattern in my script on the website. I would like to understand the reason behind this restriction. Also, I would like to know if there are any alternative solutions I can pursue to solve my problem. Any help is appreciated. Thanks.

1320279566.452687 error in ././trybro.bro, line 17: string_to_pattern can only be called at init time (string_to_pattern(Hello, World, T))

Bro currently doesn't support creating regular expression values
dynamically during runtime. The reason is an unfortunate internal
deficiency: regexp values don't fully clean up their memory when
deleted, meaning that frequent instantiating/destroying would lead to
significant memory leaks.
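As an added illustration (not Bro script and not from this thread), the approach the init-time restriction pushes you towards: compile every host/uri regex once when the table is loaded, report and skip malformed entries, and at event time only look the precompiled pattern up and run it against the body. The file contents and the `load_patterns`/`match_body` names are constructed for this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of a tab-separated "host, uri, regex" file (not real data).
PATTERN_FILE = """\
# host\turi\tregex
example.com\t/login\tpassword=\\w+
example.com\t/api/upload\t(?i)<script>
cdn.example.net\t/status\t[0-9]{3} OK
"""

PatternTable = Dict[Tuple[str, str], "re.Pattern[str]"]


def load_patterns(text: str) -> PatternTable:
    """Compile each regex exactly once at load time (the equivalent of doing
    the string_to_pattern work at init). A malformed line or regex is reported
    and skipped so one bad entry does not take the whole table down."""
    table: PatternTable = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 3:
            print(f"line {lineno}: expected 3 fields, got {len(fields)}; skipped")
            continue
        host, uri, regex = fields
        try:
            table[(host, uri)] = re.compile(regex)
        except re.error as exc:
            print(f"line {lineno}: bad regex {regex!r}: {exc}; skipped")
    return table


def match_body(table: PatternTable, host: str, uri: str, body: str,
               max_scan: int = 1_000_000) -> Optional[List[str]]:
    """Per-event path: no compilation, only a lookup keyed on (host, uri).
    Returns None when no pattern is registered for that pair, otherwise the
    list of matches found in the first max_scan characters of the body
    (bounding the scan keeps a huge body from dominating processing time)."""
    pat = table.get((host, uri))
    if pat is None:
        return None
    return pat.findall(body[:max_scan])
```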